Using IAM Policies with AWS KMS

You can use IAM policies in combination with key
policies to control access to your customer master keys (CMKs) in AWS KMS.

Note

This section discusses using IAM in the context of AWS KMS. It doesn't provide detailed
information about the IAM service. For complete IAM documentation, see the
IAM User Guide.

Policies attached to IAM identities (users, groups, and roles) are called
identity-based policies (or IAM policies), and policies attached to resources outside
of IAM are called resource-based policies. In AWS KMS, the resource-based policy
attached to a CMK is called its key policy. Every CMK has exactly one key policy, and it
is the primary means of controlling access to that CMK. IAM policies by themselves are
not sufficient to allow access to a CMK; they can only add to what the key policy permits,
and only if the key policy contains the policy statement that enables IAM policies (a
statement that gives the account's root principal, arn:aws:iam::<account-id>:root,
permission to use the key). Without that statement, IAM policies in the account are
ignored for that CMK.

Overview of IAM Policies

You can use IAM policies in the following ways:

Attach a permissions policy to a user or a group
– You can attach a policy that allows an IAM user or group of users to, for
example, create new CMKs.

Attach a permissions policy to a role for federation or
cross-account permissions – You can attach an IAM policy to an IAM role to enable
identity federation, allow cross-account permissions, or give permissions to
applications running on EC2 instances. For more information about the various use cases
for IAM roles, see IAM Roles in the IAM User Guide.

The following example shows an IAM policy with AWS KMS permissions. This policy allows
the IAM identities to which it is attached to retrieve a list of all CMKs and aliases.

This policy doesn't specify the Principal element, because in IAM policies you don't
specify the principal that gets the permissions: the principal is the identity the
policy is attached to. When you attach this policy to an IAM user, that user is the
implicit principal. When you attach it to an IAM role, the assumed-role session gets the
permissions.

Permissions Required to Use the AWS KMS Console

To work with the AWS KMS console, users must have a minimum set of permissions that
allow them to work with the AWS KMS resources in their AWS account. In addition to these
AWS KMS permissions, users must also have permission to list IAM users and roles (the
console uses that list when you choose key administrators and key users for a key
policy). If you create an IAM policy that is more restrictive than this minimum, the AWS
KMS console won't function as intended for users with that policy.

AWS Managed (Predefined) Policies for AWS KMS

AWS addresses many common use cases by providing standalone IAM policies that are
created and managed by AWS. These are called AWS managed policies. AWS managed policies
provide the necessary permissions for common use cases so you don't have to investigate
which permissions are needed. For more information, see AWS Managed Policies in the IAM
User Guide.

Allows users to retrieve information about each CMK, including its identifiers,
creation date, rotation status, key policy, and more.

Allows users to create CMKs that they can administer or use. When users create a CMK,
they set the permissions in the CMK's key policy, so they can create CMKs with any
permissions they want, including allowing themselves to administer or use the CMK. The
AWSKeyManagementServicePowerUser policy does not allow users to administer or use any
other CMKs, only the ones they create. Because the creator writes the key policy, treat
kms:CreateKey as a privileged permission and review the key policies of CMKs created
this way; in particular, confirm they still contain the statement that enables IAM
policies, or the key can become unmanageable by anyone except the principals the
creator named.

Customer Managed Policy Examples

In this section, you can find example IAM policies that allow permissions for various
AWS KMS actions.

Important

Some of the permissions in the following policies are allowed only when the CMK's key
policy also allows them. For more information, see AWS KMS API Permissions Reference.

Prevent a User from Disabling or
Deleting Any CMKs

The following policy prevents a user from disabling or deleting any CMKs, even when
another IAM policy or a key policy allows those actions. A policy that explicitly denies
a permission overrides every other policy, including those that explicitly allow the
same permission. For more information, see Determining Whether a Request is Allowed or
Denied in the IAM User Guide.
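The following is an added example, not code from AWS or from this guide, that models the two rules this page relies on: IAM policies can grant access to a CMK only when the key policy contains the statement that enables them (the root-principal statement described in the introduction above), and an explicit Deny, such as the disable/delete deny described in this section, overrides every Allow. It is a simplified evaluator, not the IAM policy engine: Condition, NotAction, NotResource, grants and cross-account access are not modelled, and the account ID, key ARN, user ARN and sample policies are constructed for illustration.

```python
"""Simplified model of how AWS KMS combines a CMK's key policy with IAM policies.

Added illustration, not AWS code. Implements only two rules from the page:
 1. IAM policies count for a CMK only if the key policy contains the statement
    that gives the account root principal (arn:aws:iam::<account>:root) access.
 2. An explicit Deny in any applicable policy overrides every Allow.
Conditions, NotAction/NotResource, grants and cross-account access are omitted.
All IDs and ARNs below are made up.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed account ID
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
USER = f"arn:aws:iam::{ACCOUNT}:user/alice"  # constructed caller


def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principal ARNs named by a key policy statement ("*" means anyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover this request."""
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return any(fnmatchcase(action, a) for a in actions) and \
        any(fnmatchcase(resource, r) for r in resources)


def enables_iam_policies(key_policy, account_id):
    """Does the key policy hand control to IAM, i.e. Allow <account>:root kms:* on *?"""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in key_policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and root in _principals(stmt)
                and "kms:*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


def evaluate(action, key_policy, iam_policies, caller_arn,
             account_id=ACCOUNT, key_arn=KEY_ARN):
    """Decide a key-scoped request. Returns "Allow", "Deny" or "ImplicitDeny"."""
    applicable = []
    # Key policy statements apply when they name the caller directly (or "*").
    for stmt in key_policy.get("Statement", []):
        names = _principals(stmt)
        if caller_arn in names or "*" in names:
            applicable.append(stmt)
    # The caller's IAM policies apply only if the key policy enables them.
    if enables_iam_policies(key_policy, account_id):
        for policy in iam_policies:
            applicable.extend(policy.get("Statement", []))
    decision = "ImplicitDeny"
    for stmt in applicable:
        if not _matches(stmt, action, key_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny wins regardless of any Allow
        decision = "Allow"
    return decision


# Constructed sample policies. The key policy has the shape of the default key
# policy: one statement that delegates to IAM in the account.
KEY_POLICY_ENABLING_IAM = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}]}
KEY_POLICY_WITHOUT_IAM = {"Version": "2012-10-17", "Statement": []}
IAM_ALLOW_ALL_KMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
# The kind of policy this section describes: deny disabling or deleting any CMK.
IAM_DENY_DISABLE_DELETE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["kms:DisableKey", "kms:ScheduleKeyDeletion"],
    "Resource": "*"}]}

if __name__ == "__main__":
    both = [IAM_ALLOW_ALL_KMS, IAM_DENY_DISABLE_DELETE]
    print("Encrypt:", evaluate("kms:Encrypt", KEY_POLICY_ENABLING_IAM, both, USER))
    print("DisableKey:", evaluate("kms:DisableKey", KEY_POLICY_ENABLING_IAM, both, USER))
    print("Encrypt, key policy without root statement:",
          evaluate("kms:Encrypt", KEY_POLICY_WITHOUT_IAM, [IAM_ALLOW_ALL_KMS], USER))
```

The third call shows the failure mode practitioners most often hit: an IAM policy granting kms:* to a user does nothing for a CMK whose key policy lacks the root statement, so the request falls through to an implicit deny. The second call shows that the explicit Deny on kms:DisableKey wins even though the same user holds an Allow on kms:*.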